Encryption
Full-disk encryption on every platform: what's on, what to turn on, and what it doesn't protect
BitLocker, FileVault, and LUKS in plain English. On modern consumer hardware, full-disk encryption is often already enabled — this article covers how to verify it, how to configure it properly, and what threats it genuinely protects against.
Full-disk encryption (FDE) is one of those quiet, boring technologies that has changed the landscape of lost and stolen computers. A decade ago, most laptops were unencrypted, and a stolen laptop was a small data breach. Today, on modern Mac and Windows hardware, FDE is usually on by default, and a stolen laptop is — for most purposes — an expensive paperweight.
“Usually” is the key word. This article covers the three mainstream platforms, how to verify encryption is actually on, and the one or two configuration choices that matter.
What FDE actually does
Full-disk encryption means that everything written to your storage device is encrypted with a symmetric key (almost always AES-256). When your computer is off, the disk is a wall of noise. When it is on and unlocked, the OS has the key loaded, and files are decrypted on the fly as they are read.
The threats FDE addresses are specifically physical:
- Laptop lost or stolen while powered off or hibernated (suspended to disk).
- Hard drive pulled from the device and attached to another computer.
- Drive sent for warranty repair without a wipe.
- Old device given away, sold, or recycled without sanitization.
The threats FDE does not address:
- Malware running on your computer while you are logged in (your disk is unlocked; the malware can read it like any other application).
- An attacker who has your password.
- Remote attacks over the network.
- A rubber-hose attack where somebody compels you to unlock the device.
- Evil-maid attacks in high-threat environments (tamper with bootloader; capture password on next boot), unless you have additional measures like Secure Boot and a TPM-bound key.
FDE is a lower-bound protection. It is genuinely important, it is mostly free, and it should be enabled on every device you own.
macOS: FileVault
FileVault has been on by default for new Mac users since 2018. On Apple-silicon Macs (M1 and later), the underlying hardware architecture means the disk is effectively always encrypted with a device-bound key; enabling FileVault adds the user password as a requirement for decryption at boot.
To verify:
- Apple menu → System Settings → Privacy & Security → FileVault.
- If it says “FileVault is turned on”, you’re done.
When you first enabled FileVault, you were asked to store a recovery key. Options:
- Store in iCloud — convenient, but ties the recovery path to your Apple ID.
- Create a local recovery key (a 24-character string) — more control, more responsibility.
If you went with “store in iCloud”, that’s fine for most people. If you want the local recovery key, the one place you must not keep it is the same Mac. Print it. Put it in a safe, a safe-deposit box, or a trusted password manager account.
Windows: BitLocker and Device Encryption
Windows has two features that are often confused with each other. Both use the same underlying technology (AES on a BitLocker volume), but they have different configuration surfaces:
- BitLocker is the full-featured version, available on Windows Pro, Enterprise, and Education editions. You can configure it, disable it, select key protectors, and manage recovery keys in detail.
- Device Encryption is a limited variant available on Windows Home editions on hardware that meets Modern Standby requirements. It turns on automatically when you sign in with a Microsoft account; the recovery key is stored in your Microsoft account online.
To check (Windows 11):
- Settings → Privacy & security → Device encryption (Home) or BitLocker drive encryption (Pro).
- If it says “on”, note which drives are encrypted.
If you bought your computer new and signed in with a Microsoft account, there’s a very good chance Device Encryption is already on and a recovery key is already saved to your account. To find it, go to https://account.microsoft.com/devices/recoverykey in a browser while signed in.
For BitLocker on a Pro system, you can configure:
- PIN at boot — requires a short numeric PIN in addition to TPM. Protects against someone who has your powered-off laptop and your login password.
- Recovery key export — to a printed page or a USB drive, in addition to (or instead of) the account-based key.
- XTS-AES 256 — the modern BitLocker mode, preferred over the older AES-CBC.
Linux: LUKS
On Linux, the overwhelmingly dominant choice is LUKS (Linux Unified Key Setup), layered over dm-crypt. Every major distribution’s installer offers it, typically as a checkbox labeled “Encrypt the new install” or similar. Pick a long passphrase during install.
LUKS will accept multiple “key slots” — up to eight passphrases or keyfiles that can unlock the same disk. This is how you handle shared machines (each user has their own key slot), backup keys (one slot is a high-entropy keyfile stored on a USB drive in a safe), and recovery (one slot is a known passphrase stored offline).
Verification:
sudo cryptsetup status /dev/mapper/<your-root-volume>
The output will name the cipher, key size, and mode. You want something like aes-xts-plain64 with a 512-bit key (which is AES-256 XTS).
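As an added example (not part of the original article), a small POSIX shell check that parses cryptsetup status output and flags anything other than aes-xts-plain64 with a 512-bit key. The two sample outputs and the device names in them are constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the article: check that a dm-crypt/LUKS mapping reports
# the cipher and key size recommended above (aes-xts-plain64 with a 512-bit key).
# It parses the text `cryptsetup status` prints, so it also runs offline on saved output.

# Print "<cipher> <keysize in bits>" extracted from cryptsetup status text on stdin.
parse_status() {
    awk '$1 == "cipher:"  { cipher = $2 }
         $1 == "keysize:" { keysize = $2 }
         END { print cipher, keysize }'
}

# Read cryptsetup status text on stdin; return 0 for AES-256 in XTS mode, else 1.
# XTS consumes two AES keys, so 512 bits means AES-256 and 256 bits means AES-128.
check_fde() {
    parsed=$(parse_status)
    cipher=${parsed% *}
    keysize=${parsed#* }
    case "$cipher" in
        aes-xts-plain64|aes-xts-plain) ;;
        "") echo "WARN: no cipher found (is the volume active?)" >&2; return 1 ;;
        *)  echo "WARN: cipher is '$cipher', expected aes-xts-plain64" >&2; return 1 ;;
    esac
    if [ "${keysize:-0}" -lt 512 ]; then
        echo "WARN: ${keysize:-0}-bit key is AES-$(( ${keysize:-0} / 2 )) XTS, expected 512" >&2
        return 1
    fi
    echo "OK: $cipher with ${keysize}-bit key (AES-256 XTS)"
}

# Constructed samples of `cryptsetup status` output for offline use; the device
# names are placeholders, not taken from the article.
SAMPLE_GOOD='/dev/mapper/cryptroot is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/nvme0n1p3
  mode:    read/write'

# Same cipher name but only a 256-bit key, i.e. AES-128 XTS: weaker than recommended.
SAMPLE_WEAK='/dev/mapper/cryptroot is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  mode:    read/write'

# On a live system: sudo cryptsetup status /dev/mapper/<your-root-volume> | check_fde
printf '%s\n' "$SAMPLE_GOOD" | check_fde
printf '%s\n' "$SAMPLE_WEAK" | check_fde || true   # exit status 1 flags the weak setup
```

The non-zero exit status makes the check usable from a login script or a fleet inventory job, not only interactively.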
Cross-platform considerations
- Write down the recovery key, physically, somewhere that is not the device. Not emailed to yourself. Not in the same cloud account that the device logs into. Not on a sticky note under the keyboard. The single most common FDE disaster is “encryption worked; nobody can unlock it anymore”.
- External drives. FDE on the internal drive does not extend to external drives you plug in. Use VeraCrypt containers, BitLocker To Go (Windows), or encrypted APFS (macOS) for portable drives that carry sensitive files.
- Cloud backups do not preserve disk encryption. Backup software reads your decrypted files and uploads them. If you want the backup to be encrypted, you rely on the backup tool’s own encryption (ideally with a key only you hold), not on FDE.
- Power off, do not sleep, if you are crossing a border or leaving a laptop somewhere risky. FDE protects a powered-off device; a sleeping device has the key in RAM.
What to turn on today
- macOS: confirm FileVault. Print or securely store the recovery key.
- Windows: confirm Device Encryption (Home) or BitLocker (Pro). Export the recovery key to a printed page or a USB drive in a safe.
- Linux: encrypt at install time with LUKS. Add a backup key slot with a keyfile stored separately.
- External drives with sensitive documents: encrypt them, too.
For most readers, the entire exercise takes twenty minutes and is the single highest-leverage security investment you will make this year.